Thomas Simson, CIO, talks about how Rapid7 Nexpose is simple to use and still meets the bank's security needs even after the organization doubled in size. Today Bridgehampton National Bank receives "stellar audits" and relies upon Nexpose to scan hundreds of workstations and a virtualized server environment.
Well, we're a bank. We have 25 branches. We're in a Microsoft network environment. Obviously, security is important at a bank. We've used Nexpose for probably the past five years. We have at least 400 workstations that we monitor. We have a virtualized server environment that we also use Nexpose to review. And then we use Nexpose to monitor any of the vulnerabilities on any of the machines on the internal network.Show more Show less
It was very easy to install. It was a pretty simple installation. It discovered the entire network. It gave us a list of all the devices and machines that were vulnerable. It gave us an easy list of and easy directions on how to patch them all. And so we've been basically keeping up with that. Once we got the network cleaned up, we've been monitoring that continuously. We meet at least once a month, a lot of times more frequently than that, to review the list as a group. Our staff has become much more sophisticated since that. That was several years ago. The bank has basically doubled in size since then, so we've needed a lot more sophistication as the bank has gotten more complex, and it's sort of grown right along with us.
For the past two years, we've gotten really stellar audits from both our regulators and our external auditors.
To be honest with you, we really haven't had to use support much at all because the product has been so simple to use. Because the instructions that come down for the remediation are so simple and so easy to use that we find that our junior staff can actually take the instructions and take care of most of the problems. It's only the really nettlesome problems that require some of the really senior staff to take a look at.
Based on our experience with Nexpose, we've decided to sort of expand the relationship, and we're going to be using the Metsploit tool and also some of the social engineering testing because those are areas that obviously now the threat environment has changed, and those are areas that require a little more horsepower. We can rely on Nexpose to sort of clear away all of the low hanging fruit and just get right to the really, really nettlesome problems that need to be dealt with by maybe someone who's more senior.